See exactly how we generate cryptographic random values
Security through obscurity is not security. We believe you should be able to inspect and verify the code that generates your cryptographic keys and random values. Below is the actual source code from our production systems.
crypto/rand packageThe foundation of all our cryptographic operations. Uses the OS CSPRNG directly.
// GET /api/bytes - Generate cryptographically secure random bytes
func (s *Server) HandleBytes(w http.ResponseWriter, r *http.Request) {
length := 16
if l := r.URL.Query().Get("length"); l != "" {
if v, err := strconv.Atoi(l); err == nil && v > 0 && v <= 1024 {
length = v
}
}
// crypto/rand.Read uses the OS CSPRNG:
// - Linux: getrandom() syscall or /dev/urandom
bytes := make([]byte, length)
rand.Read(bytes) // crypto/rand, NOT math/rand
jsonResponse(w, map[string]any{
"bytes": bytes, // JSON encodes as base64
"length": length,
})
}RSA keys are generated using Go's standard library with FIPS-compliant key sizes.
// GET /api/crypto/rsa - Generate RSA key pair
func (s *Server) HandleRSA(w http.ResponseWriter, r *http.Request) {
bits := 2048
if b := r.URL.Query().Get("bits"); b != "" {
switch b {
case "1024", "2048", "3072", "4096":
bits, _ = strconv.Atoi(b)
default:
jsonError(w, "bits must be 1024, 2048, 3072, or 4096", 400)
return
}
}
// rsa.GenerateKey uses crypto/rand.Reader internally
// This ensures CSPRNG is used for prime generation
privateKey, err := rsa.GenerateKey(rand.Reader, bits)
if err != nil {
jsonError(w, "failed to generate RSA key", 500)
return
}
// Encode to PEM format
privateKeyBytes := x509.MarshalPKCS1PrivateKey(privateKey)
privateKeyPEM := pem.EncodeToMemory(&pem.Block{
Type: "RSA PRIVATE KEY",
Bytes: privateKeyBytes,
})
publicKeyBytes, _ := x509.MarshalPKIXPublicKey(&privateKey.PublicKey)
publicKeyPEM := pem.EncodeToMemory(&pem.Block{
Type: "PUBLIC KEY",
Bytes: publicKeyBytes,
})
jsonResponse(w, map[string]any{
"algorithm": "RSA",
"bits": bits,
"private_key": string(privateKeyPEM),
"public_key": string(publicKeyPEM),
})
}Elliptic curve keys using NIST-approved curves (P-224, P-256, P-384, P-521).
// GET /api/crypto/ecdsa - Generate ECDSA key pair
func (s *Server) HandleECDSA(w http.ResponseWriter, r *http.Request) {
curveName := r.URL.Query().Get("curve")
if curveName == "" {
curveName = "P256"
}
// NIST-approved curves per FIPS 186-4
var curve elliptic.Curve
switch curveName {
case "P224":
curve = elliptic.P224()
case "P256":
curve = elliptic.P256() // Also known as secp256r1
case "P384":
curve = elliptic.P384()
case "P521":
curve = elliptic.P521()
default:
jsonError(w, "curve must be P224, P256, P384, or P521", 400)
return
}
// Generate key using crypto/rand
privateKey, err := ecdsa.GenerateKey(curve, rand.Reader)
if err != nil {
jsonError(w, "failed to generate ECDSA key", 500)
return
}
// ... PEM encoding (similar to RSA)
}Symmetric keys generated directly from the CSPRNG.
// GET /api/crypto/aes - Generate AES symmetric key
func (s *Server) HandleAES(w http.ResponseWriter, r *http.Request) {
bits := 256
if b := r.URL.Query().Get("bits"); b != "" {
switch b {
case "128", "192", "256": // FIPS 197 approved sizes
bits, _ = strconv.Atoi(b)
default:
jsonError(w, "bits must be 128, 192, or 256", 400)
return
}
}
keyBytes := bits / 8
key := make([]byte, keyBytes)
rand.Read(key) // Direct CSPRNG read
// Generate IV for CBC/GCM modes (16 bytes for AES)
iv := make([]byte, 16)
rand.Read(iv)
jsonResponse(w, map[string]any{
"algorithm": "AES",
"bits": bits,
"key_hex": hex.EncodeToString(key),
"key_base64": key, // JSON encodes as base64
"iv_hex": hex.EncodeToString(iv),
"iv_base64": iv,
})
}Version 4 UUIDs using cryptographically secure random bytes.
// GET /api/uuid - Generate UUID v4
func (s *Server) HandleUUID(w http.ResponseWriter, r *http.Request) {
// github.com/google/uuid uses crypto/rand internally
// UUID v4 = 122 bits of random data + 6 version/variant bits
id := uuid.New()
jsonResponse(w, map[string]string{"uuid": id.String()})
}For non-cryptographic random numbers, we use math/rand/v2 seeded from crypto/rand.
import (
"crypto/rand" // CSPRNG for crypto operations
mrand "math/rand/v2" // Fast PRNG for non-sensitive random
)
// GET /api/number - Random integer in range
func (s *Server) HandleNumber(w http.ResponseWriter, r *http.Request) {
minVal := int64(0)
maxVal := int64(100)
// ... parse min/max from query params
// math/rand/v2 auto-seeds from runtime entropy
// For ranges, uniform distribution is more important than
// cryptographic unpredictability
result := minVal + mrand.Int64N(maxVal - minVal + 1)
jsonResponse(w, map[string]int64{
"result": result,
"min": minVal,
"max": maxVal,
})
}crypto/rand — Go standard library CSPRNGcrypto/rsa — Go standard library RSA implementationcrypto/ecdsa — Go standard library ECDSA implementationcrypto/ed25519 — Go standard library Ed25519 implementationgithub.com/google/uuid — Google's UUID library (uses crypto/rand)